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Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner's Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


Yes 

Telefonica UK Limited are supportive of what this code is looking to 
achieve and aligns with the close partnership we have with the NSPCC 
supporting child safety online (see https://www.o2.co.uk/help/nspcc). 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


No 

We would like further granularity and examples to help clarify which 
services are in and out of scope. Our core connectivity services consist 
of voice telephony (both traditional circuit switched telephony and 
‘calling over wi-fi’), text messaging, and internet access, supported by 
value added services such as apps for customer account self- 
management. Whilst we appreciate that core telephony and VOIP 
services are out of scope, we would like further clarity on the scope 
particularly with regards customer account self-management 
applications and the internet access service (as opposed to services 
provide over the internet access). 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be ‘high privacy’ by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 

personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children's data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child's location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


Yes 


If NO, then please provide your reasons for this view. 


2. Age-appropriate application 
Yes 


If NO, then please provide your reasons for this view. 
3. Transparency 
Yes 


If NO, then please provide your reasons for this view. 
4. Detrimental use of data 


Yes 


If NO, then please provide your reasons for this view. 


5. Policies and community standards 
Yes 


If NO, then please provide your reasons for this view. 
6. Default settings 
Yes 


If NO, then please provide your reasons for this view. 
7. Data minimisation 
Yes 


If NO, then please provide your reasons for this view. 
8. Data sharing 
Yes 


If NO, then please provide your reasons for this view. 


9. Geolocation 
Yes 


If NO, then please provide your reasons for this view. 
10. Parental controls 
Yes 


If NO, then please provide your reasons for this view. 


11. Profiling 
Yes 


If NO, then please provide your reasons for this view. 


12. Nudge techniques 
Yes 


If NO, then please provide your reasons for this view. 
13. Connected toys and devices 
Yes 


If NO, then please provide your reasons for this view. 
14. Online tools 
Yes 


If NO, then please provide your reasons for this view. 
15. Data protection impact assessments 
Yes 


If NO, then please provide your reasons for this view. 
16. Governance and accountability 


Yes 


If NO, then please provide your reasons for this view. 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


Yes 


Please refer to our close partnership with the NSPCC. (see 
https://www.02.co.uk/help/nspcc). 


2. Age-appropriate application 
No 


If YES, then please provide details. 
3. Transparency 
No 


If YES, then please provide details. 


4. Detrimental use of data 


No 


If YES, then please provide details. 


5. Policies and community standards 
No 


If YES, then please provide details. 
6. Default settings: 
No 


If YES, then please provide details. 
7. Data minimisation 
No 


If YES, then please provide details. 
8. Data sharing 
No 


If YES, then please provide details. 
9. Geolocation 
No 


If YES, then please provide details. 
10. Parental controls 
No 


If YES, then please provide details. 
11. Profiling 
No 


If YES, then please provide details. 
12. Nudge techniques 


No 
If YES, then please provide details. 


13. Connected toys and devices 
No 


If YES, then please provide details. 


14. Online tools 
No 


If YES, then please provide details. 


15. Data protection impact assessments 
No 


If YES, then please provide details. 
16. Governance and accountability 


No 


If YES, then please provide details. 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 
No 
If YES, then please provide your reasons for this view. 


2. Age-appropriate application 
Yes 


In order to comply with the Code it may be that certain products and 
services are withdrawn for under 18 year olds, reducing choice, not least 
given that adapting the product or service could potentially require two or 
more age appropritate versions. 

3. Transparency 

No 


If YES, then please provide your reasons for this view. 
4. Detrimental use of data 


No 
If YES, then please provide your reasons for this view. 


5. Policies and community standards 
No 


If YES, then please provide your reasons for this view. 
6. Default settings 
No 


If YES, then please provide your reasons for this view. 
7. Data minimisation 
No 


If YES, then please provide your reasons for this view. 
8. Data sharing 
No 


If YES, then please provide your reasons for this view. 
9. Geolocation 
No 


If YES, then please provide your reasons for this view. 
10. Parental controls 
No 


If YES, then please provide your reasons for this view. 
11. Profiling 
No 


If YES, then please provide your reasons for this view. 
12. Nudge techniques 
No 


If YES, then please provide your reasons for this view. 
13. Connected toys and devices 
No 


If YES, then please provide your reasons for this view. 
14. Online tools 
No 


If YES, then please provide your reasons for this view. 
15. Data protection impact assessments 
No 


If YES, then please provide your reasons for this view. 


16. Governance and accountability 
No 


If YES, then please provide your reasons for this view. 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 
No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


2. Age-appropriate application 
Yes 


Our business has a large range of products and services, anda 
complex IT estate. Reviewing every one of those products and services, 
determining applicability and compliance to age appropriate design and 
making any changes needed will be a resource and time intensive 
process. In fact we estimate not a different magnitude of effort 
compared to the broader GDPR implementation. Many products and 
services may require age verification and monitoring of users for a 
period to time to determine if the service is accessed by children. In 
addition, we will need to review and update age-verfication prcoesses 
with any service identified as requiring age appropriate action. With the 
default position being that a user is a child until proven as an adult we 
will be forced to implement robust age verification in a complex IT 
environment which will require significant time and cost. Further, if we 
want to ensure services are available for use by children, the 
requirements to have numerous different iterations of a service to suit 
varying age levels will be challenging. 

3. Transparency 

Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then making any necessary 
changes to ensure transparency. This will not be a trivial activity that 
will take some time to complete. 

4. Detrimental use of data 


No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


5. Policies and community standards 
No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

6. Default settings 

Yes 


Please see our comments above relating to age appropriate application. 
7. Data minimisation 
Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure the Data Minimisation standard is met. This will not 
be a trivial activity that will take some time to complete. 

8. Data sharing 

Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure the Data Sharing standard is met. This will not be a 
trivial activity that will take some time to complete. 

9. Geolocation 

Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure the Geolocation standard is met. This will not be a 
trivial activity that will take some time to complete. 

10. Parental controls 

Yes 


Where we are dependent on third party providers for products with 
parental controls we will need to review and ensure that they comply to 
this standard. 


11. Profiling 
Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure the Data Profiling standard is met. This will not be a 
trivial activity that will take some time to complete. 

12. Nudge techniques 


Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure the Nudge Techniques standard is met. This will not 
be a trivial activity that will take some time to complete. 

13. Connected toys and devices 

No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

14. Online tools 

Yes 


We have many products and services that will need reviewing, 
assessing whether this Code applies and then if necessary, making any 
changes to ensure that appropriate Online tools are aviaible. This will 
not be a trivial activity that will take some time to complete. 

15. Data protection impact assessments 

No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
16. Governance and accountability 


No 
If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


Yes 


12 months. We are a large organsation with many thousands of 
employees and many millons of customers. In addition, any design or 
product changes take a long period to implement, not least given that 
we will need to engage third parties to produce changes and we will 
need to go through a period of testing. 


2. Age-appropriate application 


Yes 


We predict that this will take a minimum of 12-18 months. Our 
business has a large range of products and services, and a complex IT 
estate. We will need to implement robust age-verfication available and 
any service identified as requiring age appropriate action will need to be 
amended to include age verification. Due to the number of products and 
services potentially impacted and the complexity of our IT estate and 
business processes an IT project of this scale requires a significant 
length of time to implement fully. 

3. Transparency 

Yes 


6-9 months. We have a large number of products and services. 
Reviewing all our products and services and then amending any 
information appropriately will take time to complete to an appropriate 
level of quality. 

4. Detrimental use of data 


Yes 


12-18 months. We have many products and services that will need to 
be reviewed and audited against the standard. Sucessful 
implementation is assumed to be dependent on a robust age verification 
implementation. If changes are identified to meet the standard it may 
require significant effort to design and implement. We will also need to 
identify any third party products and services that may not comply to 
the regulation and if required make contractual changes. A longer time 
period is required to allows for these changes to be applied and any 
technical changes to be implemented. 


5. Policies and community standards 
No 


6. Default settings 
Yes 


12-18 months. We have many products and services that will need to 
be reviewed and audited against the standard. Sucessful 
implementation is assumed to be dependent on a robust age verification 
implementation. If changes are identified to meet the standard it may 
require significant effort to design and implement. 

7. Data minimisation 
Yes 


12-18 months, We have many products and services that will need to 
be reviewed and audited against the standard. Sucessful 


implementation is assumed to be dependent on a robust age verification 
implementation. If changes are identified to meet the standard it may 
require significant effort to design and implement. 

8. Data sharing 

Yes 


12-18 months. We have many products and services that will need to 
be reviewed and audited against the standard. Sucessful 
implementation is assumed to be dependent on a robust age verification 
implementation. If changes are identified to meet the standard it may 
require significant effort to design and implement. 


9. Geolocation 
Yes 


12-18 months. We have many products and services that will need to 
be reviewed and audited against the standard. Sucessful 
implementation is assumed to be dependent on a robust age verification 
implementation. If changes are identified to meet the standard it may 
require significant effort to design and implement. 

10. Parental controls 
Yes 


6-9months. We will have to work with third parties to ensure their 
products are compliant so a reasonable period of time will be required 
to achieve this. 

11. Profiling 

Yes 


12-18 months. This is assumed to be dependent on any robust age 
verification work. We are currently uncertain of the impact in this area 
but if we have to review all customer journeys for all our products and 
services this will require significant effort and then time to design and 
implement any changes if identified. 

12. Nudge techniques 
Yes 


12-18 months. This is assumed to be dependent on any robust age 
verification work. We are currently uncertain of the impact in this area 
but if we have to review all customer journeys for all our products ans 
services this will require significant effort and then time to design and 
implement any changes if identified. 

13. Connected toys and devices 
No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

14. Online tools 

Yes 


12-18 months. This is assumed to be dependent on any robust age 
verification work. We are currently uncertain of the impact in this area 
but if any significant work is required we will need a reasonable amount 
of time to deliver. 

15. Data protection impact assessments 
No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


16. Governance and accountability 


No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 
No 
If YES, then please provide details (including links). 


2. Age-appropriate application 
No 


If YES, then please provide details (including links). 
3. Transparency 
No 


If YES, then please provide details (including links). 


4. Detrimental use of data 
No 
If YES, then please provide details (including links). 


5. Policies and community standards 
No 


If YES, then please provide details (including links). 
6. Default settings 
No 


If YES, then please provide details (including links). 
7. Data minimisation 
No 


If YES, then please provide details (including links). 
8. Data sharing 
No 


If YES, then please provide details (including links). 
9. Geolocation 
No 


If YES, then please provide details (including links). 
10. Parental controls 
No 


If YES, then please provide details (including links). 
11. Profiling 
No 


If YES, then please provide details (including links). 
12. Nudge techniques 
No 


If YES, then please provide details (including links). 
13. Connected toys and devices 
No 


If YES, then please provide details (including links). 
14. Online tools 
No 


If YES, then please provide details (including links). 
15. Data protection impact assessments 
No 


If YES, then please provide details (including links). 
16. Governance and accountability 


No 


If YES, then please provide details (including links). 


Q10. Is the ‘Enforcement of this code” section clearly communicated? 


Yes 


Q11. Is the ‘Glossary’ section of the code clearly communicated? 


No 

We are unclear about the interplay between the definition of child in 
the Code and the age stated in section 9 of the Data Protection Act 
2018. 


Q12. Are there any key terms missing from the ‘Glossary’ section? 
No 


If YES, then please provide your reasons for this view. 


Q13. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 


Yes 


If NO, then please provide your reasons for this view. 


Q14. Is there any information you think needs to be changed in the 
"Annex A: Age and developmental stages’ section of the code? 


No 
If YES, then please provide your reasons for this view. 


Q15. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


No 
If YES, then please provide details (including links). 


Q16. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


Yes 
If NO, then please provide your reasons for this view. 


Q17. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


Yes 
If NO, then please provide your reasons for this view. 


Q18. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


No 


If YES, then please provide details (including links). 


Section 2: About you 


Åre you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 


Please specify: 


A child development expert? 


Please specify: 


An Academic? 


Please specify: L] 
An individual acting in another professional capacity? 

Please specify: L] 
A provider of an ISS likely to be accessed by children? 

Please specify: 
TELEFONICA UK LIMITED 

A trade association representing ISS providers? 

Please specify: L] 
An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the L] 
public or a parent)? 

An ICO employee? L] 


Other? 


Please specify: 


Thank you for responding to this consultation. 


We value your input. 


